[App_rpt-users] New Official Allstar Distribution Released (DIAL)

Bryan D. Boyle bdboyle at bdboyle.com
Mon Oct 5 21:49:24 UTC 2015


Using a jump box as you describe is one way...not allowing SSH from the outside adds a layer; setting up a secure VDI capability to the jumpbox over a vpn is yet a third way...;).

My rule: if it's exposed to the net, it's potentially vulnerable.  Just turn on your SIP port and pop some popcorn to see...;)

--
Bryan
Sent from my iPhone 5...No electrons were harmed in the sending of this message.



> On Oct 5, 2015, at 17:39, Steven Donegan <donegan at donegan.org> wrote:
> 
> Direct root login being disallowed IF there were no other way to get full root privileges (not the case here) was considered best practice. However in almost every case there is a user (on Raspbian user pi) that can simply login, sudo -s and do whatever they want. Yes it puts up a small hurdle but I don't see it as a serious one.
> 
> In short, there is almost no setup that will allow you to completely lock out root with the exception of a few well designed appliances. And that means someone is out there doing support to get things resolved. This system is not of that flavor and root is necessary for many things so frankly adding a hurdle or two really doesn't appreciably make the system more secure.
> 
> Require a long pass phrase (say 20 mixed characters or so) and this whole thing is moot...
> 
> And BTW - putting sshd on port 222 (or anything except 22) is security by obscurity - many tools can find standard protocols on non-standard ports :-) (I know, I wrote one)
> 
> The best bet is to not allow ssh at all. If that is not feasible then do the su or sudo thing and/or set up an intermediate system such that you access a non-privileged account on system A, then ssh to system B and system B will ONLY accept ssh from system A. Still can be beaten but it is a bit harder...
> 
> And BTW - I have done infosec for about 20 years so I am allowed to have an opinion on this topic :-)
>  
> Steven Donegan
> KK6IVC General Class FCC License
> Silver State Car #86
> www.sscc.us
> 
> From: Steve Zingman <szingman at msgstor.com>
> To: "app_rpt-users at ohnosec.org" <app_rpt-users at ohnosec.org> 
> Sent: Monday, October 5, 2015 2:24 PM
> Subject: [App_rpt-users] New Official Allstar Distribution Released (DIAL)
> 
> Dave,
> Let's say I agree with you. And I well may.
> On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
> I agree it is common practice to not allow it.
> Now the question is why?
> 
> As John McLaughlin would say, DISCUSS!
> 
> On 10/05/2015 08:40 AM, Steve Zingman wrote:
> > root login via SSH is now allowed
> 
> > This is a bad idea.  Root should *never* be allowed to login to a system 
> > remotely.  It's better to log in as a normal user and then become root 
> > via su, sudo, etc.
> 
> > - Dave
> 
> 
> 
> -- 
> "Anything is possible if you don't know what you are talking about."
> 1st Law of Logic
> 
> 
> 
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
> 
> To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
> 
> 
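Added example, not part of the original message or of the DIAL distribution: a small audit of an sshd_config on "system B" against the three points raised in the thread (direct root login, accepting SSH only from the jump host "system A", and a non-standard port counting as obscurity rather than a control). The sample configs, the address 192.0.2.10, the user "ops" and the function names are constructed for illustration.

```python
import re

# sshd_config keywords whose values accumulate across lines; all others are first-wins.
ACCUMULATING = {"allowusers", "denyusers", "allowgroups", "denygroups"}

# Constructed samples. 192.0.2.10 (system A, the jump host) and user "ops" are assumptions.
WEAK = """\
Port 222
PermitRootLogin yes
# This later line is ignored: sshd keeps the first value it reads for a keyword.
PermitRootLogin no
"""
HARDENED = """\
PermitRootLogin no
AllowUsers ops@192.0.2.10
"""

def effective_settings(text):
    """Return the global (pre-Match) settings sshd would actually use."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:                      # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":             # conditional blocks are out of scope here
            break
        if key in ACCUMULATING:
            settings.setdefault(key, []).extend(value.split())
        else:
            settings.setdefault(key, value)
    return settings

def audit(text, jump_host):
    """List which of the thread's three points a config on system B fails."""
    s = effective_settings(text)
    findings = []
    # The built-in default differs between OpenSSH versions, so unset is flagged too.
    if s.get("permitrootlogin", "unset").lower() != "no":
        findings.append("root-login-allowed")
    allowed = s.get("allowusers", [])
    if not allowed or any(not p.endswith("@" + jump_host) for p in allowed):
        findings.append("ssh-not-limited-to-jump-host")
    if s.get("port", "22") != "22":
        findings.append("nonstandard-port-is-obscurity-only")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg, "192.0.2.10"))
```

The weak sample shows why reading only the last PermitRootLogin line is misleading: the earlier "yes" is the one in effect.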